|
|
|
 |
Vulnerability Note VU#426273KTH Kerberos filesystem race condition on tickets stored in /tmpOverviewThere may be a race condition during the creation of Kerberos ticket files in the /tmp directory. This race condition may allow intruders with local access to the system to gain root privileges.I. DescriptionDuring the creation of ticket files in the /tmp directory, a sequence of calls occur which may allow a local attacker to replace the ticket file with a symbolic link. If this symbolic link is followed when the ownership of the ticket file is set, the attacker may be able to gain ownership of files initially owned by root.II. ImpactOn systems where the sticky bit is not set on the /tmp directory, a local attacker can gain ownership of any file on the system. This allows the attacker to gain root privileges.This attack may also be possible on systems where the /tmp directory does have its sticky bit set, depending on the exact sequence of calls used to create and set the ownership of the Kerberos ticket file.
References
Thanks to Jouko Pynnönen for reporting this vulnerability to the CERT/CC, and to Assar Westerlund for assisting in the development of this document. This document was written by Cory F Cohen.
If you have feedback, comments, or additional information about this vulnerability, please send us
email. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Get Adobe Reader